Npm libp2p kad dht Security Advisory//Published on 2026-05-20//CVE-2026-45783

WP-FIREWALL SECURITY TEAM

Unvalidated PUT_VALUE Vulnerability in @libp2p/kad-dht

Plugin Name @libp2p/kad-dht
Type of Vulnerability Security Advisory
CVE Number CVE-2026-45783
Urgency High
CVE Publish Date 2026-05-20
Source URL CVE-2026-45783

Unvalidated PUT_VALUE in @libp2p/kad-dht (CVE-2026-45783): What WordPress Site Owners Need to Know and How to Protect Your Sites

Summary: A high‑priority vulnerability (CVE-2026-45783 / GHSA-32mq-hpph-xfvr) was published for the npm package @libp2p/kad-dht (patched in 16.2.6). The issue allows unvalidated PUT_VALUE records to be stored without bounds on DHT server nodes, potentially exhausting disk space and causing denial-of-service or facilitating persistent abuse on affected Node.js hosts. While this is a Node ecosystem vulnerability, WordPress site owners and administrators should pay attention — the modern WordPress ecosystem frequently overlaps with Node.js tooling, headless architectures, build pipelines, and bundled microservices that may use libp2p. This post explains the vulnerability, real-world impact for WordPress environments, detection steps, mitigations (including immediate WAF-based protections), incident response, and long-term hardening.

TL;DR — Quick action items

  • Vulnerability: Unvalidated PUT_VALUE records can cause unbounded disk exhaustion on DHT server nodes in @libp2p/kad-dht versions < 16.2.6. CVE-2026-45783, CVSS 7.5.
  • Immediate mitigation: Update @libp2p/kad-dht to 16.2.6 or later wherever it is used. Rebuild and redeploy Node-based services and CI artifacts.
  • If you cannot update immediately: block or restrict network access to Node processes exposing DHT endpoints; apply WAF rules to block suspicious DHT traffic; enforce process disk quotas and rate limits.
  • WordPress-specific: Audit plugins/themes and hosting for bundled Node services, headless frontends, CI runners, and developer machines with DHT-enabled services; scan for the package in your codebase and artifacts.
  • Use layered defenses: host-level disk quotas, containerization, WAF/IDS, secure CI/CD practices, and dependency monitoring.

The vulnerability in plain English

libp2p is a modular networking stack used to build peer-to-peer apps. The kad-dht module implements a Kademlia-style distributed hash table (DHT) that supports PUT_VALUE operations — writing key-value records to the DHT.

CVE-2026-45783 describes a failure to validate PUT_VALUE records properly on DHT server nodes. Attackers can send numerous or very large PUT_VALUE requests that the server will accept and persist without appropriate size, count, or origin validation. Because the storage of those records is unbounded, an attacker can cause disk exhaustion: the process keeps writing records until the disk is full, leading to denial-of-service or other corruption on the host.

Key points:

  • Requires network access to a DHT node (no prior auth required).
  • Low complexity to exploit at scale — automated scripts can flood the node.
  • Impacts Node.js processes running vulnerable versions of @libp2p/kad-dht (< 16.2.6).
  • Patched release: 16.2.6.

Why WordPress site owners should care

At first glance this looks like a Node-only problem and unrelated to WordPress (PHP). But the WordPress ecosystem has many touch points with Node:

  • Build tools and asset pipelines: Themes and plugins often include JS build steps (webpack, vite) in the development process. CI systems or developer machines running Node may include dependencies that are vulnerable.
  • Headless and hybrid architectures: Many modern WordPress sites use headless front-ends (React/Vue) that run Node servers or microservices that might include libp2p for P2P features or experiments.
  • Bundled microservices: Plugins or hosting vendors sometimes ship or run Node-based microservices for realtime features, image processing, or integrations; these could use vulnerable npm modules.
  • Developer workstations and CI runners: If your developers use the vulnerable library in local or CI environments connected to production networks, exploitation or resource exhaustion could spill over to shared infrastructure (e.g., shared CI runners, developer-hosted staging).
  • Managed hosting and platform components: Some hosts run Node-based services for caching, proxying, or analytics; exhaustion there can disrupt WordPress sites hosted on the same infrastructure.

In short: even if your WordPress site code is purely PHP, your site’s uptime and data integrity may depend on Node processes in the broader hosting stack.

Exploitation scenarios relevant to WordPress environments

  1. Shared hosting environment
    – A host runs a Node-based service for many customers (e.g., a real-time analytics service or a P2P syncing service using libp2p).
    – An attacker floods that service with PUT_VALUE records causing disk exhaustion.
    – The host’s disk fills up and other tenants (including WordPress sites) suffer outages.
  2. Plugin- or theme-bundled Node microservice
    – A plugin bundles a helper Node service (e.g., for image optimization, realtime chat, or websocket bridging).
    – The microservice uses @libp2p/kad-dht <16.2.6.
    – Attacker triggers unbounded writes to that service, causing the underlying container or VM to run out of disk or crash.
  3. CI/CD or developer tooling
    – A CI runner or developer machine exposed to the internet (or accessible via compromised credentials) runs a DHT node.
    – Disk fills and build artifacts are lost; continuous deployment pipelines fail and production deploys stall.
  4. Headless frontends and proxies
    – A headless WordPress front-end relies on a Node server for SSR or data-syncing.
    – The Node server is attacked and disabled, rendering front-end unavailable though the WordPress back-end remains.
  5. Lateral movement and persistence
    – Disk exhaustion may be used as a diversion or to corrupt logs/monitoring, aiding further attacks against WordPress components.

How to find out if you’re affected

Step 1 — Search your codebase and artifacts

  • Search for the package in repository files and lockfiles:
    • grep -R "@libp2p/kad-dht" .
    • npm ls @libp2p/kad-dht || true
    • yarn why @libp2p/kad-dht || true
  • Inspect package-lock.json / yarn.lock for versions < 16.2.6.

Step 2 — Inspect deployments and containers

  • Check running processes on servers for Node processes that might be DHT nodes:
    • ps aux | grep node
    • lsof -nP -iTCP -sTCP:LISTEN | grep node
    • ss -plnt
  • For containers, list images and inspect:
    • docker ps --format '{{.ID}} {{.Image}}' && docker inspect <id> | grep -i libp2p -R

Step 3 — CI/CD and developer machines

  • Ask developers whether tests/build servers use libp2p or kad-dht.
  • Scan CI runners’ images, prebuilt artifacts, or caches for the package.

Step 4 — Hosting vendor / managed services

  • Contact your host to verify whether any managed Node services or platform components use the vulnerable library.

Step 5 — Logs and telemetry

  • Look for spikes in disk writes, unusual file growth in DHT storage locations, errors indicating “no space left on device,” or sudden application crashes.
  • Alerts to watch: filesystem usage >85%, repeated PUT_VALUE or DHT write entries in Node app logs, sudden increase in network traffic to Node processes.

Immediate mitigation — update and rebuild (recommended)

  1. Update
    – Wherever @libp2p/kad-dht is used, update to version 16.2.6 or later.
    – Run:

    • npm install @libp2p/kad-dht@^16.2.6
    • npm update

    – For transitive dependencies, update the parent package or run npm dedupe and rebuild lockfiles.

  2. Rebuild artifacts
    – Rebuild and redeploy any frontend bundles, Docker images, and server artifacts that include Node modules.
    – Replace images in registries and redeploy Kubernetes Pods or containers.
  3. Restart services
    – Restart Node services after updating to ensure the patched version is loaded.
  4. Confirm
    npm ls @libp2p/kad-dht should show 16.2.6 or later.
    – Verify running processes are using the updated artifacts.

If you cannot update immediately — temporary mitigations

Network access controls

  • Isolate DHT nodes: restrict inbound traffic to known peers using host firewall (iptables/nft) or cloud security groups.
  • Deny external access: block the ports/protocols used by your Node DHT node from the public internet.
  • Use network ACLs to prevent untrusted peers from connecting.

WAF / application-layer protections

  • Implement WAF rules to detect and block suspicious DHT PUT-like requests. While a DHT uses libp2p frames (not regular HTTP), if your environment proxies or exposes HTTP endpoints or custom ports for Node, you can block requests that match DHT protocol indicators or abnormal size/patterns.
  • Rate-limit connections from external peers to Node processes.

Process-level and OS mitigations

  • Enforce per-process disk quotas (cgroups, systemd, or container storage quotas) to prevent a single process from consuming all disk space.
  • Run Node services in containers with limited writable storage. Use read-only image layers and separate ephemeral writable volumes with size limits.
  • Use tmpfs or small dedicated volumes for any temporary storage used by the DHT to limit damage.

Monitoring and early warning

  • Configure alerts for abnormal disk usage and a sudden increase in write I/O.
  • Monitor the number of PUT operations if your Node app exposes metrics (Prometheus, etc.).

Example: basic iptables block (replace <port> and <proto> as appropriate)

# Block external access to a Node DHT port
iptables -A INPUT -p tcp --dport 4001 -j DROP
iptables -A INPUT -p udp --dport 4001 -j DROP

Example: systemd cgroup limits (service unit snippet)

[Service]
MemoryMax=1G
TasksMax=200
# Limit disk IO (requires systemd IOAccounting)
IOReadBandwidthMax=/var/lib/my-node-service 10M
IOWriteBandwidthMax=/var/lib/my-node-service 10M

These are stop-gap measures — the true fix is to patch.

Suggested WAF signatures and behavioral detections

Because libp2p DHT traffic is non-HTTP in many cases, direct WAF signature detection can be limited unless the Node service exposes HTTP endpoints. Still, within the hosting environment and in proxy layers you can:

  • Block unusually large request payloads to any endpoint associated with Node services.
  • Detect and block high-frequency connections from the same remote IP or ASN targeting DHT ports.
  • Match on known libp2p handshake patterns if proxied via HTTP or if logs include such patterns (e.g., multiaddr, “kad-dht” strings).
  • Monitor for sudden growth of specific storage directories used by the Node service (application-level rule to block requests when disk usage threshold is crossed).

Example ModSecurity-style pseudo-rule to block oversized writes (if Node service is behind an HTTP proxy):

SecRequestBodyLimit 131072
SecRule REQUEST_BODY_LENGTH "@gt 131072" \n  "id:100001,phase:2,deny,log,msg:'Large request body blocked (possible PUT_VALUE abuse)',severity:2"

Note: tailor limits to normal traffic patterns to avoid false positives.

Developer guidance — how to fix code using libp2p/kad-dht

If you maintain code that calls PUT_VALUE or stores DHT records, apply the following best practices:

  • Validate record size: reject or truncate values beyond a safe maximum (for example, 64 KB or a size determined by your storage capacity).
  • Limit the number of records per key and per peer.
  • Enforce expiration (TTL) and garbage collection of old records.
  • Authenticate and authorize writes if possible — require peers to prove legitimacy before accepting persistent writes.
  • Rate-limit write operations per peer IP or per peer ID.
  • Use content-addressable storage (e.g., CID) and only persist payloads if they match allowed formats.
  • Implement size and quota checks before disk writes and handle “disk full” gracefully (fail closed).

Example Node pseudo-code pattern:

async function safePutValue(store, key, value, peerId) {
  const MAX_VALUE_SIZE = 64 * 1024; // 64 KB
  const MAX_RECORDS_PER_PEER = 100;

  if (Buffer.byteLength(value) > MAX_VALUE_SIZE) {
    throw new Error('Value size exceeds allowed maximum');
  }
  if (await peerRecordCount(peerId) > MAX_RECORDS_PER_PEER) {
    throw new Error('Peer exceeded record quota');
  }
  // Atomically check disk space or quota before write
  if (!hasSufficientDiskSpace()) {
    throw new Error('Insufficient disk space for new DHT record');
  }
  return store.put(key, value);
}

Detection and response — an incident handling playbook

  1. Isolate
    • Remove the Node process from external network exposure immediately (iptables rules, stop service, remove public route).
    • Quarantine affected container/VM to prevent lateral movement.
  2. Preserve evidence
    • Save logs (Node app logs, system logs, network captures).
    • Snapshot disks (if possible) for offline analysis.
  3. Stop the writes
    • Stop or pause the offending Node process.
    • Disable any DHT-facing ports and revert firewall rules.
  4. Analyze
    • Search logs for large volumes of PUT_VALUE-like writes or repetitive writes from same peers.
    • Identify the directory used to store DHT records and enumerate suspicious files.
  5. Clean up
    • Remove malicious or oversized records.
    • Reclaim disk space carefully; ensure you don’t delete legitimate data.
    • Rebuild and redeploy Node processes after patching.
  6. Patch and harden
    • Update @libp2p/kad-dht to 16.2.6+.
    • Rebuild and redeploy artifacts from trusted CI with fresh lockfiles.
    • Apply quotas and network restrictions.
  7. Post‑incident actions
    • Rotate keys / credentials if there is any indication of compromise beyond resource exhaustion.
    • Update incident logs and root cause analysis.
    • Communicate with stakeholders and, if applicable, your hosting provider.

Forensic indicators to look for

  • Unusually rapid growth of files in Node service storage directories.
  • High counts of PUT or write operations in Node application logs.
  • Multiple connections coming from many ephemeral IPs targeting the Node process.
  • System log entries: “no space left on device”, crash/restart loops for Node processes.
  • High disk i/o and CPU usage from Node processes.
  • Presence of many randomized keys/records in the DHT store (e.g., lots of unique keys with large payloads).

Collect these artifacts for your incident report and forensics.

How to test your environment

  • Use npm audit / snyk / other dependency scanners to identify @libp2p/kad-dht usage and versions.
  • Locally simulate an attack (in a controlled lab) to verify mitigations — spawn a test Node DHT server and attempt to send oversized PUT_VALUE payloads. Monitor quotas and WAF rules.
  • Test WAF rules and rate limits for false positives before enabling at scale.
  • Run integration tests for build pipelines to ensure dependency updates don’t break production artifacts.

Command checklist:

  • npm ls @libp2p/kad-dht
  • grep -R "@libp2p/kad-dht" .
  • find / -type d -name "node_modules" -exec grep -H "@libp2p/kad-dht" {} \;
  • Check container images: docker run --rm <image> sh -c 'npm ls @libp2p/kad-dht || true'

Long-term risk reduction and secure architecture recommendations

  • Least privilege and network segmentation: keep Node microservices isolated from public networks and WordPress PHP processes unless explicitly needed.
  • Immutable infrastructure: rebuild and redeploy images with patched dependencies rather than patching in place.
  • CI pipeline hardening: scan and reject builds that include known vulnerable dependencies; sign and verify artifacts.
  • Dependency hygiene: prefer pinned versions and controlled updates; use tools that alert on newly published advisories.
  • Resource quotas: apply cgroup/container limits for writes and storage per service.
  • Observability: instrument Node services with metrics for DHT operations (writes/reads), disk usage by service, and alerts for unusual activity.
  • Vendor and third-party management: require third-party plugin/theme authors to declare and update Node dependencies if they ship Node services.

Frequently asked questions

Q: My WordPress site is pure PHP and runs on Apache/Nginx with no Node processes. Am I safe?
A: If there are no Node processes, you are not directly affected. However, check whether your host, CDN, or plugin provider runs Node services on your behalf. Also confirm that build artifacts (bundled Node modules) are not executed on your production servers.

Q: I use a plugin that says it “bundles a Node helper.” What should I do?
A: Ask the plugin vendor whether they use @libp2p/kad-dht and which version. If vulnerable, request or apply an update that includes the patched version. In the meantime, isolate or disable the helper service if safe to do so.

Q: Does the vulnerability allow data theft from WordPress sites?
A: The primary risk documented is resource exhaustion (disk fill). While direct data theft is not the immediate concern of this CVE, disk exhaustion can disrupt services, delete or corrupt logs, and create conditions that aid attackers. Treat it seriously.

How WP-Firewall helps protect WordPress sites

As a managed WordPress security provider, WP-Firewall delivers layered protections that reduce risk both for classic WordPress installations and for environments that include Node components:

  • Managed firewall and WAF: we create and distribute application-layer signatures and rate-limiting rules that can block suspicious traffic patterns, large or abnormal payloads, and high-frequency connection attempts that precede DHT abuse.
  • Malware scanning: our scanner monitors file-system anomalies and sudden file growth that are primary indicators of disk-exhaustion attacks.
  • Mitigation of OWASP Top 10 risks: preventing common vectors reduces the chance of lateral movement into developer machines or CI.
  • Protection for mixed environments: if your WordPress architecture includes headless or Node-backed services, WP-Firewall provides rules and recommendations to isolate and protect those components.
  • Free plan features: essential protection including managed firewall, unlimited bandwidth, a WAF, malware scanning, and mitigation coverage for OWASP Top 10 risks.

We recommend all site owners evaluate their exposure and, where appropriate, enable firewall protections that include rate limiting, IP reputation blocking, and anomaly detection to mitigate attacks such as CVE-2026-45783 until full patches are applied.

A practical remediation checklist (step-by-step)

  1. Inventory
    – Identify all Node instances, containers, and CI runners. Search repos and artifacts for @libp2p/kad-dht.
  2. Patch
    – Update to @libp2p/kad-dht >= 16.2.6.
    – Rebuild images, artifacts, and redeploy.
  3. Isolate
    – Block external network access to DHT nodes pending validation.
    – Enforce per-process disk quotas and container storage limits.
  4. Harden
    – Add rate limits and WAF rules for Node services.
    – Limit peers allowed to write to DHT stores where feasible.
  5. Monitor
    – Alert on disk usage spikes and abnormal write patterns.
    – Watch for increases in traffic to DHT-related ports.
  6. Test
    – Validate that dependencies and services function correctly with the patched library.
    – Run recovery tests (restart, failover) in a controlled environment.
  7. Report and communicate
    – Inform host/third-party vendors if their components are affected.
    – Document the incident and lessons learned.

New: Start with WP‑Firewall Free to raise your immediate protection baseline

Title: Strengthen your site quickly — start with WP‑Firewall Free

If you’d like immediate, no-cost protection while you perform dependency audits and coordinate patching, consider starting with the WP‑Firewall Basic (Free) plan. It provides essential protections — a managed firewall, WAF rules, unlimited bandwidth, malware scanning, and OWASP Top 10 mitigation — to reduce the chance that a related attack against Node services will impact your WordPress site. Sign up and get protected quickly at: https://my.wp-firewall.com/buy/wp-firewall-free-plan/

If you need faster automated remediation, scheduled scanning, or virtual patching while you update complex stacks, our paid tiers add automated malware removal, more granular IP controls, and auto virtual patching features to help bridge the gap between detection and full patch deployment.

Final words — why timely action matters

CVE-2026-45783 is high priority for a reason: resource exhaustion attacks are amplifiers for larger outages and can be triggered with relatively low effort. For WordPress site owners the risk is often indirect — but operational dependencies mean indirect risks produce direct outages. The safest path is: inventory, patch, rebuild, and harden. Use layered defenses — network controls, per-process quotas, WAF protections, and monitoring — to protect your platform while updates propagate through your supply chain.

If you need help auditing your WordPress site for Node dependencies, setting up WAF signatures, or implementing temporary mitigations while you patch, our security team can assist with advisory guidance and managed protections.

Stay safe, and prioritize patching for any service that touches your production environment.

— WP‑Firewall Security Team

wordpress security update banner

Receive WP Security Weekly for Free 👋
Signup Now!!

Sign up to receive WordPress Security Update in your inbox, every week.

We don’t spam! Read our privacy policy for more info.

Contact us to schedule a complimentary WordPress Security consultation

Contact Us

WP-Firewall
6/F, The Rays, 71 Hung To Road, Kwun Tong, Kowloon, Hong Kong

Features Pricing Blog Login
Privacy Policy Terms of Service Docs Affiliate

© 2026 WP-Firewall™